APT17 Encoded Command-and-Control Communications on Profiles and Forums of IT Professional Community

MILPITAS, Calif. – May 14, 2015 – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, released the new Intelligence Report “Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic.” FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a new command-and-control (CnC) obfuscation tactic that had been used on Microsoft TechNet, a web portal for IT professionals. FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded CnC IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their CnC server. TechNet’s security was not compromised in this tactic, which could work on other forums and boards as well.

APT17 has a history of targeting US government entities, international nongovernment organizations, and private companies from around the world, including in those in the defense industry, law firms, information technology companies, and mining companies. The group has also been one of the few, but growing number of, groups to use popular websites for their legitimate purposes in order to encode their CnC communications. Previously, APT17 had been observed using the popular search engines Google and Bing to obfuscate their activities and host locations from security professionals.

“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” said Laura Galante, Manager, Threat Intelligence, FireEye. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world. However, by working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities.”

For businesses and security practitioners, FireEye released Indicators of Compromise (IOCs) for BLACKCOFFEE at: https://github.com/fireeye/iocs. Microsoft has released signatures for its anti-malware products.